It is devoted to victims of tragedy in New York on September, 11

"TITANIK" sunk on a cold April night. On a warm September morning two skyscrapers in New York were destroyed. Though being separated by a whole century, these events have much in common. They mark the end of the "gold" centuries of the mankind, the crash of the illusion of an absolute security and calmness. The implicit reasons are the following: disregard for vitally important information and for signals of danger, human negligence, self-interest, escape from responsibility, as well as new factors which constitute a threat to our life.
 
General security of people and the security of life maintenance include information security, as a big part. If we are informed that there will be an earthquake tomorrow, we will take every precaution to avoid victims and to lower the cost of damage. It is also impossible to arrange terrorist act without certain information basis. How could terrorists get the flight maps? Here are the following possible versions: the terrorists could have penetrated into computer networks of airlines and stolen the maps, someone from the airlines' staff could have sold them, or the maps were available for anyone due to the negligence of the staff. Why the ship crew, being aware of a dangerous ice condition, had not lowered the speed? This could be the result of personal ambitions, self-calmness or one's own interest. Why there were not enough boats for all the passengers? This could be the result of inaccurate calculations, cost savings during the ship construction, or everyone's confidence that the ship could never sink. The answers to these questions are far less important now than the fact that they had not been raised before the tragedies.
 
In my opinion, both tragedies mark the end of the "gold" centuries, when the mankind has realized its weak and vulnerable points, despite of being quite sure of its security. While America was asleep, the dark forces were preparing the terrorist act, buying or stealing the necessary information, calculating the possible trajectories of the flights, preparing highly skilled pilots. Some Americans even helped them. It is not that those citizens were bad or good, they could not even imagine the possible consequences. A plane instructor who trained the terrorist did not have a slightest idea of the way his experience would be used. The situation with the ship was almost as simple - the situation was dangerous, the ship was moving with great speed, but the crew was sure that the ship simply could not sink. We all know what happened in both cases.
 
People have created various security systems, computers, written many big and nice programs; however we have to admit that accidents are still possible. Natural cataclysms are now accompanied by technological and military accidents. Who can tell, whether the accident in Chernobyl was possible if the government was aware of the chaos at the nuclear station? And why the government was not aware of the state of affairs at the station? Or maybe it was actually aware, but did not take any measures (then there is a question - why?).
 
We shall try to understand, what was wrong here. If we analyze the available software, we will understand that the developers of automated control systems offer just some tools for creating the protection instead of offering certain decisions in the field of information protection. The proposed tools are based on the certain practiced standards, which have been successfully used in specific bodies and structures. However, no one can offer ready program technologies of protection; each company should construct it with the help of the tools. Here arises the question - are there many experts who understand the basic standards of information protection. It is possible to develop remarkable algorithms of protection, but against them there is one more weakness of people - we use our own names as the names of our computers, we use passwords like "123", "qwerty", etc., which can be easily broken by hackers. Moreover, have you ever seen a system constructed according to the principle of inheritance of rights and monitoring of information outflows on the basis of the company's structural scheme? Certainly, such system can be created with the help of the available tools in case it is clear what is necessary to build. And what do you usually get if you try to ask your system administrator about the information protection scheme? So, the policy of information protection in computer networks is determined within the framework of the general security system; it is not determined by a system administrator, whose main function is to strictly follow the ordered rules.
 
The following problem is a monitoring of information outflow - who sold the flight maps to the terrorists? Is it a secret? I do not think so. It is possible to prove that certain persons as well as the information itself tend to get grouped around the information. As well as the information attracts the intelligence, the latter attract the information. Your information system allows to send an inquiry about what questions have been of recent interest in your company and what and how often one can possibly do with this information (in case he uses it in the right way)? Here we have approached the following thesis. The access to information should be under constant control - who, when, why and what for, particularly if this information does not concern the professional interests and responsibilities of the company's associates.
 
It is impossible to organize mass terrorist acts so that nobody knew about it - there were people who created plans and gathered information, who prepared the pilots, who made the calculations of the target points and took an interest in algorithms of calculations - it is clear that the terrorists have left many traces. The question is why nobody noticed them (or maybe had not wanted to notice), why nobody asked what all this was made for, why nobody tried to prevent the tragedy on the preparation stage (no matter what the target might be)? Why the top crew of the ship inertly reacted to icebergs, neglected the danger and did not lower the speed; whom the owner of the ship wanted to surprise and where he hurried so much? Why in banks, equipped with expensive automation account systems, it is still possible to make large thefts. If one has systematized information on competitors, partners, conditions, operations, anything, connected with people's activities, then it is possible to prevent many events - to steal several million dollars is not the same as to steal a coin from the pocket. Thus, we have come to a conclusion that it is necessary to have information monitoring (espionage here seems unnecessary, as ninety percents of the information is published in open sources and if we apply proper analysis and aggregation methods it is possible to obtain interesting results).
 
Another interesting point is the correlation between the price of the information and the cost of the experts who own it. And do you have certain methods to estimate the cost of your information and what wages do you pay to those who own it? May they have an idea to sell it? How will you punish your associates if you suddenly learn about the information leak? And do your associates always share your ideas? Thus, it is clear that in case the sale price ten (or hundred) times exceeds the expert's wages, a threat to be fired will hardly prevent him from selling the confidential information (why should not he give the access passwords of the bank network to a familiar hacker, if such operation can bring him much more money, which will exceed his wages). The thesis is that the cost of the information security system should be comparable with the cost of the information itself (imagine, that you keep a very expensive diamond ring on a kitchen table - is not it absurd).
 
We have spoken about constant processes. But here is the question what measures are necessary and when? It would have been possible to avoid the tragedy if the captain of the ship had had such algorithm (law or rule) and certain powers, as he was responsible and, what is the most important, he was authorized to turn the ship or to lower the speed. Thus, it is necessary to have a system of notification and recognition of the information image, i.e. it is important to quickly determine external or internal influence on the system to cause an adequate protective reaction. These are those situations when some measures should be taken so that the house did not burn, the ship did not sink, and the plane did not crash. Here we speak about standard patterns and the system of their search, like the complex explosives search systems, which are being introduced in many airports. And what shall we do with more complicated questions, for example: at the airports a penknife is considered a terrorist instrument, and what about a knitting spoke or a favorite lighter; to what stereotype should belong those who can get an excellent education and to direct a plane into a residential building. Here is one more example: we have set many cameras of supervision, but several seconds are enough to throw a package with dangerous substance, which can be represented as a used napkin, into a garbage can - the observer can doze off, get distracted and miss the event. Consequently, the system should be able to react to some events without our participation and to draw our attention to them (it can be indistinctly recognized image or anything else, the only thing is clear -some certain measures should be taken). Thus, the security system should include both a system of notification and an algorithm of recognition of an event image, which will refer an event to a certain classifier.
 
As it is clear from our discussion, most theses confirm that information technologies are strongly related to people's activities and security. One should not artificially divide between business processes and the applied information supply. Here we speak about the integrity of the system "person - information supply" ("person - computer"), about the creation of good analysis and monitoring systems, as effective tools of prevention of social cataclysms, as well as about their easy use and availability. Finally, one should not consider different security types separately. They are united and only their complex use can provide security to human society, as it is quite obvious for me, an expert in the field of information supply, that the most important factors in all large tragedies are: neglect of the human factor and official duties, artificial division and fear of the responsibility.
 
Here you can download free software, which will allow you to create unique, complex and difficult to guess computer and user names as well as passwords for all the users of your computer network.

Last modified: 12.01.2003
Translation by Elena Polyanskaya